Microsoft Sentinel with Firebox Cloud Integration Guide

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

This document describes the steps to integrate Microsoft Sentinel with your WatchGuard Firebox Cloud.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Microsoft Sentinel Cloud
  • Microsoft Sentinel Agent
  • Rsyslog Server
    • v8.32.0
  • WatchGuard Firebox Cloud
    • Fireware v12.8

Test Topology

Screenshot of the topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • You have the resource group and workspace configured in Microsoft Sentinel
  • You have created a virtual network in the Azure portal
  • You have created and configured the rsyslog server
  • Your rsyslog server can receive WatchGuard Firebox Cloud logs
  • You have a WatchGuard Firebox Cloud deployed on Azure (see Deploy Firebox Cloud on Microsoft Azure)

Set Up Microsoft Sentinel

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Search for and click Microsoft Sentinel.

Screenshot of the Microsoft Sentinel search result in the Azure portal

  3. Select your workspace.
  4. Select Configuration > Data connectors.
  5. Search for and select the WatchGuard Firebox connector.

Screenshot of the Data Connectors page in Microsoft Azure

  6. Click Open connector page.
  7. Select the Instructions tab.
  8. In the Configuration section, expand Install agent on Azure Linux Virtual Machine.
  9. Click Download & install agent for Azure Linux Virtual machines.

Screenshot of the WatchGuard Firebox configuration in Microsoft Azure

  10. Select your rsyslog server, and click Connect.
  11. After a successful connection to your rsyslog server, go back to the WatchGuard Firebox connector page.
  12. Click Open your workspace agents configuration.
  13. Select the Syslog tab.
  14. Click Add facility to add the facilities you need (for example, local0 to local7, kern, and syslog).

Screenshot of the Agents Configuration page in the Azure portal

  15. Click Apply.
  16. Go back to the WatchGuard Firebox connector page, and in the Configuration section, click Follow these steps.
  17. Copy the values from the WatchGuard syslog Parser page. You need this information in Step 20.
  18. Close the WatchGuard syslog Parser page, and go back to your Microsoft Sentinel workspace page.
  19. Select General > Logs.
  20. Follow the WatchGuard syslog Parser page description, and paste the values from the WatchGuard syslog Parser page into the logs query window.

Screenshot of the Logs query window in the Azure portal

  21. Select Save > Save as function.
  22. In the Function name text box, type WatchGuardFirebox.
  23. In the Legacy category text box, type WatchGuardFirebox.

Screenshot of the Logs query window save function

  24. Click Save.

Set Up Firebox Cloud

  1. Log in to Fireware Web UI (https://<Eth0_public_IP>:8080).
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to these syslog servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.
  6. In the IP Address text box, type the IP address of the server that runs the Microsoft Sentinel Agent.
  7. In the Port text box, type 514.
  8. From the Log Format drop-down list, select Syslog.
  9. Select the syslog facilities you need (for example, keep the default settings).

Screenshot of the Syslog Server dialog box in Firebox Cloud

  10. Click OK.
  11. Click Save.

You can configure logging in many locations in the Firebox Cloud configuration, such as policies and proxies. Make sure you select Send a log message when you want the Firebox Cloud to generate a log message for an event.

Screenshot of the Logging dialog box in Firebox Cloud

Test the Integration

  1. After Firebox Cloud begins to send log messages to the Microsoft Sentinel Agent, on the WatchGuard Firebox connector page, select the Next steps tab.

Screenshot of the WatchGuard Firebox Next Steps tab in the Azure portal

  2. Select the first sample query, and click Run.
    The query results appear.

Screenshot of the Run query in the Logs section of the WatchGuard workspace in the Azure portal

Filter Logs

Information from sources other than the Firebox Cloud can sometimes appear in syslog data. For example, in the query results shown in the Test the Integration section of this document, Ubuntu events are not related to Firebox Cloud. To run a query that returns events from only Firebox Cloud, you can filter the query by host name or computer.

An example query that only includes events from the host name Firebox:

Screenshot of the filtered Logs page in the Azure portal
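The facility selection in the agent configuration (local0 to local7, kern, and syslog) and the host name filter described above, as an added example that is not part of this guide and not WatchGuard or Microsoft code: a small Python script that decodes the PRI field of BSD-style syslog lines into a facility and severity, keeps only messages whose host name is Firebox and whose facility the agent was configured to collect, and counts the remainder per facility, which is what a `summarize count() by Facility` clause does in the Logs query window. The host names Firebox and ubuntu-rsyslog, the message bodies, and the Sentinel column names quoted in the comments (HostName, Facility on the Syslog table) are assumptions for the example; the sample lines are constructed and are not real Firebox log messages.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Syslog facility codes (RFC 5424, section 6.2.1). The facilities this guide
# adds in the agent configuration are local0 to local7, kern and syslog.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facilities selected with "Add facility" in the agent configuration step.
AGENT_FACILITIES = frozenset({f"local{i}" for i in range(8)} | {"kern", "syslog"})

# BSD-style syslog line (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyslogEvent:
    facility: str
    severity: str
    host: str
    message: str


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Decode one syslog line; return None for lines that are not syslog."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 (local7) * 8 + 7 (debug) is the largest valid PRI
        return None
    facility_code, severity_code = divmod(pri, 8)
    return SyslogEvent(
        facility=FACILITY_NAMES.get(facility_code, f"facility{facility_code}"),
        severity=SEVERITY_NAMES[severity_code],
        host=m.group("host"),
        message=m.group("msg"),
    )


def filter_events(lines: Iterable[str], host: str, facilities: Iterable[str]) -> List[SyslogEvent]:
    """Keep only parsable lines from `host` whose facility the agent collects.

    Assumed Sentinel equivalent on the Syslog table, filtering by host name:
        Syslog | where HostName == "Firebox"
    """
    wanted = set(facilities)
    kept = []
    for line in lines:
        event = parse_syslog_line(line)
        if event is not None and event.host == host and event.facility in wanted:
            kept.append(event)
    return kept


def count_by_facility(events: Iterable[SyslogEvent]) -> Dict[str, int]:
    """Count events per facility, like `summarize count() by Facility` in KQL."""
    return dict(Counter(e.facility for e in events))


# Constructed sample lines (not real Firebox output): two Firebox messages on
# local0, one on local5, one kernel message, one line from the rsyslog host
# itself (the "Ubuntu events" the guide mentions), and one line that is not syslog.
SAMPLE_LINES = [
    "<134>Jan 14 10:00:01 Firebox firewall: Allow 10.0.1.5 203.0.113.9 tcp/443 (HTTPS-proxy-00)",
    "<133>Jan 14 10:00:02 Firebox sessiond: admin login from 10.0.1.20",
    "<30>Jan 14 10:00:03 ubuntu-rsyslog systemd[1]: Started Daily apt download activities.",
    "<174>Jan 14 10:00:04 Firebox firewall: Deny 198.51.100.7 10.0.1.5 udp/161 (Unhandled External Packet-00)",
    "<4>Jan 14 10:00:05 Firebox kernel: link state change on eth0",
    "this line is not syslog at all",
]


if __name__ == "__main__":
    firebox_events = filter_events(SAMPLE_LINES, host="Firebox", facilities=AGENT_FACILITIES)
    for event in firebox_events:
        print(f"{event.facility}.{event.severity:<8} {event.host} {event.message}")
    print(count_by_facility(firebox_events))
```

Running the script keeps the four Firebox lines and drops both the ubuntu-rsyslog line and the unparsable one. Narrowing the facility set (for example to local0 only) shows why the agent-side facility list matters: a Firebox configured to log on local5 would silently disappear from the workspace if that facility were not added in step 14.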